WordPress Security Best Practices
WordPress is secure by default, but following these best practices will significantly reduce your risk of being hacked.
1. Use a Strong Admin Password
Your WordPress password is the key to your site. Make it strong:
- At least 20 characters long
- Mix of uppercase, lowercase, numbers, and symbols
- Avoid dictionary words and personal information
- Use a password manager like Bitwarden or 1Password
You can generate a strong password in WordPress: Users → Your Profile → Generate Password.
2. Keep WordPress Updated
Update WordPress, themes, and plugins as soon as updates are available. Updates fix security vulnerabilities.
Most updates are automatic on our hosting, but check Dashboard → Updates regularly to be sure.
3. Use Security Plugins
We recommend these free WordPress security plugins:
- Wordfence Security — Firewall and malware scanner
- Sucuri Security — Malware detection and hardening
- iThemes Security — Two-factor authentication and backups
Install one and run a security scan.
4. Limit Login Attempts
Use a plugin to prevent brute-force attacks that try thousands of passwords:
- Wordfence (built-in)
- Limit Login Attempts Reloaded
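To show what a login-limiting plugin actually does behind the scenes, here is a small must-use plugin written for this article as an added example (it is not code from Wordfence, Limit Login Attempts Reloaded or Webfort). It counts failed logins per client address with WordPress transients and refuses further attempts for a while once the limit is reached. The thresholds, the file name and the use of REMOTE_ADDR are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Locks a client out after repeated failed logins (added example, not a published plugin).
 *
 * Save as wp-content/mu-plugins/example-login-throttle.php; must-use plugins
 * load automatically and cannot be switched off from the dashboard.
 * Assumptions: the thresholds below are illustrative, and the client is
 * identified by REMOTE_ADDR. Behind a CDN or reverse proxy, take the address
 * from the trusted forwarding header instead, or all visitors share one counter.
 */

define( 'ELT_MAX_FAILURES', 5 );       // failures allowed inside the window
define( 'ELT_WINDOW_SECONDS', 900 );   // 15-minute counting window
define( 'ELT_LOCKOUT_SECONDS', 1800 ); // 30-minute lockout once the limit is hit

// Transient key prefix for this client; hashing keeps the key short and valid.
function elt_client_key() {
	$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
	return 'elt_' . md5( $ip );
}

// Seconds remaining on the current lockout, or 0 if the client is not locked.
function elt_lockout_remaining() {
	$until = (int) get_transient( elt_client_key() . '_lock' );
	return max( 0, $until - time() );
}

// Count each failed login; start a lockout when the limit is reached.
add_action( 'wp_login_failed', function ( $username ) {
	if ( elt_lockout_remaining() > 0 ) {
		return; // already locked out; do not keep extending the lockout
	}
	$key      = elt_client_key();
	$failures = (int) get_transient( $key . '_fails' ) + 1;
	set_transient( $key . '_fails', $failures, ELT_WINDOW_SECONDS );

	if ( $failures >= ELT_MAX_FAILURES ) {
		set_transient( $key . '_lock', time() + ELT_LOCKOUT_SECONDS, ELT_LOCKOUT_SECONDS );
		// Leave an audit trail in the PHP error log for the site owner.
		error_log( sprintf(
			'[login-throttle] lockout for %s after %d failures (last username tried: %s)',
			$_SERVER['REMOTE_ADDR'] ?? 'unknown', $failures, $username
		) );
	}
} );

// Reject every login attempt from a locked-out client. Priority 30 runs after
// WordPress' own username/password check (priority 20), so even a correct
// password cannot bypass the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$remaining = elt_lockout_remaining();
	if ( $remaining > 0 ) {
		return new WP_Error(
			'elt_locked_out',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', ceil( $remaining / 60 ) )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counters for this client.
add_action( 'wp_login', function () {
	delete_transient( elt_client_key() . '_fails' );
	delete_transient( elt_client_key() . '_lock' );
} );
```

Because the lockout check runs after WordPress has verified the password, the hook order matters: a handler that runs earlier and returns an error would be overwritten by the core password check. Transients are the right store here because they expire on their own, so the counters clean themselves up without a cron job.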
5. Remove Unused Admin Accounts
Delete any unused WordPress user accounts. Go to Users → All Users and delete accounts you don't need.
6. Use an SSL Certificate
All Webfort accounts include free SSL certificates. Make sure your site uses HTTPS (https:// not http://).
Check Settings → General and ensure both URLs start with https://.
7. Regular Backups
We automatically back up your site daily, but we also recommend keeping your own backups with a plugin:
- UpdraftPlus — Backs up to cloud storage (Google Drive, Dropbox, etc.)
- BackWPup — Simple scheduled backups
8. Disable File Editing
Add this line to wp-config.php via cPanel File Manager, above the line that reads "That's all, stop editing!", to disable theme/plugin editing:
define('DISALLOW_FILE_EDIT', true);
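Sections 6 and 8 both come down to settings in wp-config.php, so here is a combined fragment written for this article as an added example (not Webfort's standard configuration). It pins the site address to HTTPS, forces HTTPS for the admin area and disables the built-in file editor. The domain example.com is a placeholder; the optional DISALLOW_FILE_MODS line is included as a stricter variant with its trade-off noted.

```php
<?php
/*
 * Excerpt of wp-config.php hardening settings (added example). Place these
 * lines ABOVE the "That's all, stop editing! Happy publishing." comment so
 * they are defined before wp-settings.php loads. Replace example.com with
 * your own domain (assumption for the example).
 */

// Pin the site address to HTTPS. These constants override Settings → General,
// so the address cannot be switched back to http:// from the dashboard.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Require HTTPS for the login form and everything under /wp-admin, so the
// admin session cookie is never sent over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme/plugin code editor from the dashboard. Without this, a
// compromised administrator account can write arbitrary PHP to the server
// through the editor.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter variant: also block installing, updating and deleting themes and
// plugins from the dashboard. Enable it only where updates are applied some
// other way, because it also stops WordPress' own automatic updater.
// define( 'DISALLOW_FILE_MODS', true );
```

After saving the file, log out and back in: the login page should load over https://, and Appearance → Theme File Editor and Plugins → Plugin File Editor should no longer appear in the menu.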